These findings come from a survey of 235 mostly-US companies by the IT Policy Compliance Group (IT PCG), as reported in Info. Mgt., Vol. 43, Jan./Feb. 2009 at 10 (see my posts of Feb. 6, 2009: savings from the various practices; and Feb. 7, 2009: costs of litigation hold practices).
1. Notify affected employees of legal holds on information within one hour
2. Maintain evidence about the handling of information
3. Inventory and index information for rapid search
4. Respond to legal requests within one day
5. “Improve the quality of legal counsel”
6. “Track results to make subsequent improvements.”
7. “Train employees.”
8. Perform sound lifecycle management for legal information
9. Update record retention and destruction policies
10. Identify gaps in procedural and technical controls
11. Convert information into electronic formats
12. Increase the frequency of monitoring and measurements
13. Correct gaps in procedural and technical controls
The first four practices I found on the blog of IT PCG. Practices 5-7 I quote from Info. Mgt., Vol. 43, Jan./Feb. 2009 at 10. The next two practices were described later in that article. Practices 10 through 13 come from a press release about the study that Symantec issued in September 2008. (Symantec helps fund the Group.)
The author of the survey, Jim Hurley (Jhurley@itpolicycompliance.com), explained part of the methodology in an email to me. “The practices are simply cross tabulations based on the performance outcomes, with least mature being related to worst outcomes, and most mature being directly related to best outcomes. Thus, the maturity of practices is based on outcomes.”
No one can disagree that the 13 “practices” are commendable, but they are so high level as to not be implementable. If the Devil is in the details, these need Dante’s Inferno.